Thursday, 28 September 2017

Parliamentarians will soon be debating the
merits of the Data Protection Bill, and I’m wondering whether much
consideration will be given to the implications of the proposal to gift
citizens with “free” Subject Access Requests.

What parliamentarian might oppose such a
measure? After all, what’s not to like about “free” stuff?

But hang on a minute. This stuff is not
“free”. Citizens will pay for it, in the end, through increased charges, as
business costs rise for data controllers.

That's obviously not really an issue if the
cost implications are marginal.

But a good number of the data controllers I
am in regular contact with have no real idea of the cost implications of free
subject access requests. I’m regularly asked about the contingencies other
organisations are making, as they are finding it very hard to make any plans
about what additional resources might be required to ensure that the new SAR
timescales are met, and that (potential) draconian fines for non-compliance
with the new standard are not imposed upon them by the regulator.

How many additional staff should be trained
on dealing with SARs? Where can expert
advice on SAR exemptions be obtained? Can professional advisors be held on
standby just in case the client needs access to specialist advice in a hurry?
If no one has an idea of the potential costs, who within the organisation will
approve the budget that may be required to deal with these contingencies? These
are the sorts of questions that I regularly hear being asked.

While many of the organisations I deal with
are currently facing relatively low levels of SARs, they really don’t
have a clue as to how “their” customers’ behaviour will change when the ability
to charge a £10 fee is removed.

And this is before citizens’ rights groups
encourage individuals to vent their frustration on an organisation through the
weapon of the SAR.

If I were Ryanair, for example, I would be
seriously worried. That company has already managed to upset many thousands of
its customers through recent changes to its flight schedules, and a good few of
them might feel minded to give it a good administrative kicking by forcing it
to deal with a tsunami of SARs. Just for the hell of it. Don't get mad – get your SAR instead.

So what’s the solution?

If I were a cautious Parliamentarian, I
would amend the Bill by proposing a review mechanism, enabling the Secretary of
State to reintroduce SAR fees if, in the light of experience, data controllers
faced significant hardships in dealing with free SARs.

What does this mean?

It would enable the new Data Protection Act
to be amended in the light of empirical evidence about the implications of the
measure. No hard evidence currently exists as to the implications of “free”
SARs in the UK. So let’s see what will happen over the next two years. Granted, data controllers in other EU countries that currently
have a “free” SAR regime experience relatively few difficulties in dealing with
SARs. But perhaps that's because the culture in those countries is that
citizens make relatively few SARs. This cannot be said to be the case in this
country – especially when the complaints logs published by the ICO so
frequently mention frustration with SARs as a key complaint area.

Would this proposal enrage the data
protection community?

To be frank, any proposal can enrage some
sections of the data protection community. The Privacy Taliban might well see this
as an outright attack on the fundamental rights of individuals, and therefore
something to fiercely oppose. But it
isn’t a fundamental human right to expect a free SAR. That’s why our data
protection laws have always provided for modest SAR fees. For those that
support the principle of “free” stuff, of course there will be opposition.

But the majority of the privacy community
might take stock and agree that it would be helpful to continue with the
practice of evidence-based policy making. And if the evidence, based on actual
outcomes, turned out to be significantly different from what was expected, any
unwanted (and unforeseen) implications could be dealt with in due course.

Friday, 22 September 2017

Whenever I visit a clinic for a health
check, I’m asked a slightly different set of questions. Each clinic is very
professionally run, and, until recently, I haven’t been unduly concerned that
the same questions aren’t always asked. I’ve generally been healthy, so I guess
there was never any real need for the medical profession to probe too deeply.

So, why should I be worried about different
questions being asked about data protection? How deeply should professionals
probe into the 'data protection' health of an organisation?

The question arose because I’ve recently
had an opportunity to compare my methods with those practiced by a chum in
Austria. When I’m asked to probe an organisation, I review it through the lens
of some 45 controls. When my Austrian chum probes, he uses a similar
number – for starters – but might then extend his examination to cover some 200 controls – each of which can be specifically linked to GDPR requirements.

And these are just GDPR controls. He told me that, in Austria, some projects necessitated the use of a
further 30 or so controls, to reflect specific aspects of Austrian data protection legislation.

So, he was happy that the GDPR might
involve him dropping up to 30 redundant controls. But what might my
clients say if I slipped into the next conversation that what I needed to
do was focus not just on my initial 45 controls, but on an additional 155? How would that go
down, I wondered.

Tell me, fellow data protection professionals, how
many controls are sufficient for an organisation to rely on? Should it simply rely on the controls that the
ICO uses in its “Getting Ready for the GDPR” checklist?

Or should it introduce more – and if so,
just how many more?

The answer, obviously, depends on the
extent to which the organisation’s processing is likely to harm individuals,
and in particular how much harm could be caused to how many individuals.

My Austrian chum might well have been right all
along – perhaps there are a significant
number of organisations that need his “full fat” suite of over 200 controls.
And perhaps I have been misleading clients into believing that my set of 45 was sufficient.

I won’t know whether I have been misleading anyone until a data
breach has occurred and the ICO’s enforcement team has decided that an aggravating
factor in the case was the organisation’s decision to rely just on my initial
suite of 45 controls.

So, I’m praying that my initial hunch is right, and that my ‘suite
of 45’ will be sufficient to prevent a reportable breach for which the inadequacy of my control set was partly responsible.

Saturday, 16 September 2017

Parliamentarians who are tasked with scrutinising the Data Protection Bill have an
unenviable job. Can there
be a less desirable appointment than sitting on a Parliamentary Committee,
scrutinising text that many seasoned data protection professionals have thrown
their arms up in the air in despair over?

Given that the Bill is intended to last a generation (the current
Act will have lasted 20 years by the time of its repeal), surely we deserve
something we can more readily understand. Not just something that will keep
Robin Hopkins QC, Anya Proops QC, their other colleagues at 11 King’s Bench Walk and many, many, many other data
protection lawyers in clover for the rest of their working lives.

Is it really necessary for this Bill to be such a gorgeous gift to
the legal profession?

Is it really necessary for hard working data protection
professionals to have to work so much harder to master the details of such a
complicated proposal?

Is it really necessary for citizens to have “rights” that are so
hard to define and comprehend?

I appreciate, though, that turkeys don’t vote for Christmas. And if we data protection
professionals want to earn stratospheric salaries, which many of us do (but
not all, I grant you), then obviously the secrets of privacy witchcraft
must be restricted to a select few.

I’m pretty sure, however, that the “select few” won't include the
parliamentarians who will be charged with holding the Government to account
with regard to the Data Protection Bill.

If my experience is anything to go by (my experience being limited
to following the passage of many bills through Parliament and being
appointed specialist advisor to two joint parliamentary committees, one
scrutinising the draft Communications Data Bill in 2012 and the other
scrutinising the draft Investigatory Powers Bill in 2015-16), the
parliamentarians doing the scrutinising are going to need all the help they can
get.

In my experience, as well as relying on evidence from government
officials, a selection of the usual suspects (industry reps, civil society,
lawyers, possibly a token celebrity and the ICO) will be invited to give
evidence – and the role of the parliamentary committee member (ably supported
by the Committee secretariat) is to assess the evidence that is delivered to
it. Evidence carries weight not in terms of how many witnesses make the same
point, but whether that point is actually any good.

Witnesses were extremely generous in providing evidence to both
parliamentary committees I was involved with. Civil society and academics were
particularly generous (i.e. verbose) in their comments – but fortunately, as many
of them had conferred in advance of submitting their evidence, a lot of the
text submitted was remarkably similar or identical to that submitted by others
among their cohort. So, quite a few submissions didn’t take that long to read
and take note of.

But one of the most important pieces of evidence was a Keeling
Schedule.

Keeling Schedules can be used to help explain to parliamentarians
what are new bits of law, and what are restatements of existing law. They are
very helpful when the Government is claiming that it is simply consolidating
or amending legislation. At
a glance the schedule will tell the reader what is already on the statute book – and where it is (which is
something that parliamentary committee members may decide not to unduly concern
themselves with) – and what is new. It’s the new stuff that’s critically
important for Parliament to get right.

Robin Hopkins QC, Anya Proops QC et al, will already almost
certainly have a view on the meaning of the existing law. But the new stuff –
that's the exciting stuff, and that's the area of law for which maximum clarity
is most desirable.

So, what all Data Protection Bill scholars really want to know is
what the new stuff is – amidst the 218 pages, 194 Clauses and 18 Sections of
the recently released text.

How do parliamentarians get hold of a Keeling Schedule for the
Data Protection Bill?

Easy. The parliamentarians appointed to the relevant Bill
Committee, through the Committee Chairman, just need to ask the DCMS Bill team
to prepare one (or, more likely, to share the version they already have). The
minister may find he doesn’t have that easy a ride if he can’t provide a
convincing explanation as to why the parliamentarians charged with scrutinising
the Bill can’t be provided with one.

The bill is, after all, one of the most significant pieces of
legislation facing Parliament this decade. I’m sure that the parliamentarians –
and the DCMS – only want to get it right.

But that requires clarity and transparency - the sort of thing the Bill requires
of data controllers and data processors.

So, let’s see how Parliament leads by example, and delivers to us a
statute that we can both be proud of and understand.

Sunday, 10 September 2017

A huge percentage of the organisations I’ve
recently come into contact with have little chance of becoming “GDPR compliant”
by May 2018.

To be fair, a good proportion of these
organisations have spent the past decade or so ignoring the professional advice
that's available on how to better comply with the requirements of the existing data protection legislation.

The task, which is (a) to understand just
what is required of them by the GDPR; and (b) to implement the necessary
measures, is simply overwhelming.

Organisations with little or no concept of
records management, and with little or no concept of how long they need to keep
information for in order that they can meet their own business requirements,
will find “compliance” a particularly difficult challenge.

Some organisations appear to think that
self-proclaimed (and yes, sometimes self-certified) GDPR “experts” will,
for a not inconsiderable fee, apply their special brand of privacy witchcraft and, with
a fistful of pre-prepared policies and procedures, sprinkle compliance stardust
into areas that other policies daren’t venture.

Some organisations appear to think that all
that’s required is a quick visit from “experts” who will offer an outsider’s
view of issues they know nothing about, and that said “experts” will do
their stuff (and map those damn data flows) without
anyone else ever needing to change the way they work.

No.

The problem with data protection compliance
is that a successful compliance programme requires people at every level of an
organisation to comply.

Well, that’s too simplistic.

The real problem with data protection
compliance is that a successful compliance programme requires people at every
level of an organisation to appreciate what risk the organisation is running,
as a result of its information management procedures, and to appreciate whether
particular risks are within the organisation’s risk appetite.

So, the first step is for an organisation
to define its risk profile. Then it can take a decision on the extent to which it
will address data protection (and, more specifically, the GDPR’s requirements).
Then, and only then, can it embark on a change programme to implement the
relevant improvements.

Can most companies manage this by May 2018?
Or can they evidence that they can meet their accountability obligations?

Especially when there’s so much scope for
interpreting the GDPR in different ways?

I’m not optimistic.

I’m certain that many companies are trying
hard, though. And I know that many other companies would like to comply, but
they simply can’t obtain the professional support that's necessary to convert
the language of the GDPR into terms that most people can readily grasp.

My sympathies are also with regulators who
are put in a pretty dreadful position by the text of the GDPR. First, they have to decipher
certain GDPR requirements and put their own spin on the meaning. Then, they
need to contemplate taking enforcement action against organisations who disregard said
spin.

Also, being in the position of (theoretically)
being able to take significant enforcement action against virtually every data controller in the land for some GDPR transgression or other will present challenges, as the more enlightened data protection regulators strive to foster a close and
constructive working relationship with those same data controllers.

Perhaps we need a further 2 year transition
period so that the Data Protection Board can get its act together and issue
clearer advice with regard to the new requirements (i.e. those that weren’t
already enshrined in domestic data protection law), before national data
protection regulators take it upon themselves to contemplate enforcement action against organisations that breach
the new requirements.

About Me

I'm Martin Hoskins, and I started this blog to offer a somewhat irreverent approach to data protection issues. As time has passed, the tone of my posts has become more serious.
I'm not a "high priest" of data protection. I focus on the principles of transparency, fairness, practicality, risk-assessment and pragmatism when dealing with issues, rather than applying every aspect of every data protection rule.
While I may occasionally appear to criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity, so these comments should never be taken to represent anyone else's views on what I write about.
I occasionally tweet as @DataProtector.
You can contact me at:
info@martinhoskins.com.